This is the second part in my series on reports provided in SharePoint.  Today I am going to focus on the OOTB SharePoint audit logs that will generate reports you can run as a site collection administrator.  The data gathering for these reports is not enabled by default so I will show you how to do that.  I will also discuss what you can get from the reports and how you can configure them to search for data you need.

You can view part one of this series by clicking here.

 SharePoint Site Collection Auditing

SharePoint will audit just about anything that happens within a site collection.  Auditing is tracked within the site collection’s content database so be careful to monitor and clean up as it can take over your available space (but I will get to this more later).  Auditing will track actions made against, sites, lists and libraries (including their contents), content types, and the security around all these items.  You can set your auditing to track all these items or only a select few if you wish.  Because auditing is tracked at the Site Collection level and down, users are required to be Site Collection Administrators in order to configure and generate the audit reports.

Configure Site Collection Auditing
  1. Navigate to the root of the site collection you wish to audit against
  2. Click on the settings cog and select Site Settings
  3. Under Site Collection Administration select Site collection audit settings

ConfigureAudit1

  1. Set “Automatically trim the audit log for this site?” to Yes.  If you do not select this option, the audit logs will continue to increase and will eventually take over your site collection’s available database space.
  2. Set the number of days you wish to maintain your audit logs.  Ensure this value meets your environment’s data retention policies.
  3. If you only want to store the data within SharePoint for a certain amount of time but want to maintain the logs much longer you can select a location to place the trimmed logs for long-term storage and then move them off to a new location.

ConfigureAudit2

  1. Next select the document (libraries) and item (lists) level auditing you wish to accomplish. Options for auditing include:
    • when an item is opened or downloaded or when the properties are viewed
    • when any component of an item (properties or item itself) are edited (or created)
    • when an item is checked out and checked in
    • when an item is moved or copied to another location
    • when an item is deleted or restored.
  2. Finally select the level at which you want to audit sites, lists and libraries.  Options for this level of auditing include:
    • when a content type or site column is modified (including created)
    • when content is searched
    • when permissions are modified
  3. It’s just my opinion, but if you are going to audit, you might as well audit it all.
  4. Once your options are selected, click OK.

ConfigureAudit3

View Audit Reports
  1. Navigate to the root of the site collection you wish to audit against
  2. Click on the settings cog and select Site Settings
  3. Under Site Collection Administration select Audit log reports

ViewAuditReports

Audit reports are divided up into three sections of pre-configured reports and an option to create your own custom report based on the available audit logs.

Content Activity Reports

These reports are built around tracking the content of your site collection.  It will report on things like when and by whom a document or list item was viewed, edited or deleted by someone.  You can also generate a report that will indicate any additions or changes to content types and list settings.

Information Management Policy Reports

You have two reports under this heading to choose from.  The first report (Policy modifications) will report on any changes (including creation) to the the rules that have been applied to the Information Management Policies of the site.  The second report (Expiration and Disposition) generates a report around documents that are expiring or ready for disposition

Security and Site Settings Reports

As in the information management reports, you have two predefined reports.  Auditing settings provides information when any audit settings were modified.  Security settings will generate a report on any security configurations that were modified.

To generate one of the predefined reports perform the following steps:

  1. Click on the predefined report you wish to run

CreateAuditReports

  1. Select the location you wish to store the report (note, you can’t select the report name, but can change it post-creation).
  2. Click Ok.
  3. Once the report is generated, you can access it at the save location or click on the link: “Click here to view the report” to open it directly.

ViewAuditReports2

 

Create Custom Report

You have the option of creating a custom report that can contain specific audit event types and can be further configured to report on a particular location to build report from, a date range to report on and if you are only looking at viewing the actions of a particular user, you can set those options as well.  To create a custom report perform the following steps:

  1. Select the save location
  2. If you wish to limit it to a site place a check mark in “Restrict this report to:” and then click on Browse to select a site to report on.
  3. If a particular date range is required, enter it in the Date Range section.  Including Start date and time and End Date and time.
  4. Select the user(s) you wish to report on.
  5. Select the events you are looking to generate the audit report from.
  6. Click OK.

CreateCustomAuditReports

Reading Audit Reports

Audit reports are generated with two tabs:

  • Audit Data – Table – provides a summary and count of the actions occurred.  The headings indicate what action occurred and the data within indicate how many times that action occurred.

ReadAuditLog1

  • Report Data 1 – this section provides the detailed information of the event being tracked.  It can contain the following information:
    • Site ID: The GUID of the site
    • Item ID: the GUID of the item that is being audited
    • Item Type: the type of item (Site Collection, Site, List, list item, etc).
    • User ID: user who caused the event to occur
    • Document Location: if a document where it is located when audit event occurred
    • Occurred (GMT): time the event occurred
    • Event: Type of event.  This corresponds to the headings in the Audit Data tab.
    • Custom Event Name: if this is a non standard SharePoint event then the name will go here.
    • Event Source: SharePoint unless from a custom app.  Then the feature GUID is displayed
    • Source Name: Name of custom source
    • Event Data: XML description of the event being audited
    • App ID: GUID of app that generated the event (if from an app).

ReadAuditLog2

So that covers the basics of OOTB reporting within SharePoint.  There is much more you can accomplish using Reporting services and custom code, but that is a post or posts for another day.

Thanks for reading!